two-factor
two-factor copied to clipboard
Use site_url() for the FIDO U2F AppId
Priority: Low, I use very rarely use option.
I propably find a error. I use TF 0.3, WP 5.0.3, Firefox 65, Yubikey 4 and Nginx.
When I select this same urls like example.com and example.com all works but if my site url is example.com and my blog url (WP admin and WP login) is abc.123.xyz I am not able to login. abc.123.xyz/wp-login show destroy session error and Firefox don't show fingerprint icon.
Is that with the U2F key? The U2F protocol relies on the AppId which we set to the home_url()
here:
https://github.com/georgestephanis/two-factor/blob/f33778a5f72a08550cc7f25ab93f67bfd44c7c1d/providers/class.two-factor-fido-u2f.php#L90-L98
And per home_url()
docs:
Retrieves the URL for the current site where the front end is accessible.
So site_url()
would actually be more appropriate.
However, it has been like that for the past four years https://github.com/georgestephanis/two-factor/commit/b5df9bac4e1c255c661407eb70568ad141df6bda and it could introduce a regression if we change it right now.
Maybe add a filter to allow changing that?
Yes, U2F key. By the way I find similar problem with OpenID plugin (I am stuck after login with message "put key" but without fingerprint icon).
I understand, anyway it's extremal situations. Closed.
However, it has been like that for the past four years b5df9ba and it could introduce a regression if we change it right now.
In most cases the home_url()
and site_url()
are probably the same. In cases where they're not, this is almost certainly broken right now. It seems unlikely that fixing this will cause more problems.
@joshbetz I agree! I know WP VIP has home_url()
return the top-level domain and site_url()
return the *.wordpress.com
domain.
Let's get this fixed.
So, by coincidence, I pointed to a possible problem with wordpress.com? Good to know ...
U2F is deprecated and no longer works in Chrome, so the provider is being removed in #439 . Given that, there's probably no reason to keep this open anymore.